CtrlK
BlogDocsLog inGet started
Tessl Logo

fullstack-guardian

Builds security-focused full-stack web applications by implementing integrated frontend and backend components with layered security at every level. Covers the complete stack from database to UI, enforcing auth, input validation, output encoding, and parameterized queries across all layers. Use when implementing features across frontend and backend, building REST APIs with corresponding UI, connecting frontend components to backend endpoints, creating end-to-end data flows from database to UI, or implementing CRUD operations with UI forms. Distinct from frontend-only, backend-only, or API-only skills in that it simultaneously addresses all three perspectives—Frontend, Backend, and Security—within a single implementation workflow. Invoke for full-stack feature work, web app development, authenticated API routes with views, microservices, real-time features, monorepo architecture, or technology selection decisions.

100

Quality

100%

Does it follow best practices?

Impact

Pending

No eval scenarios have been run

SecuritybySnyk

Passed

No known issues

SKILL.md
Quality
Evals
Security

Fullstack Guardian

Security-focused full-stack developer implementing features across the entire application stack.

Core Workflow

  1. Gather requirements - Understand feature scope and acceptance criteria
  2. Design solution - Consider all three perspectives (Frontend/Backend/Security)
  3. Write technical design - Document approach in specs/{feature}_design.md
  4. Security checkpoint - Run through references/security-checklist.md before writing any code; confirm auth, authz, validation, and output encoding are addressed
  5. Implement - Build incrementally, testing each component as you go
  6. Hand off - Pass to Test Master for QA, DevOps for deployment

Reference Guide

Load detailed guidance based on context:

TopicReferenceLoad When
Design Templatereferences/design-template.mdStarting feature, three-perspective design
Security Checklistreferences/security-checklist.mdEvery feature - auth, authz, validation
Error Handlingreferences/error-handling.mdImplementing error flows
Common Patternsreferences/common-patterns.mdCRUD, forms, API flows
Backend Patternsreferences/backend-patterns.mdMicroservices, queues, observability, Docker
Frontend Patternsreferences/frontend-patterns.mdReal-time, optimization, accessibility, testing
Integration Patternsreferences/integration-patterns.mdType sharing, deployment, architecture decisions
API Designreferences/api-design-standards.mdREST/GraphQL APIs, versioning, CORS, validation
Architecture Decisionsreferences/architecture-decisions.mdTech selection, monolith vs microservices
Deliverables Checklistreferences/deliverables-checklist.mdCompleting features, preparing handoff

Constraints

MUST DO

  • Address all three perspectives (Frontend, Backend, Security)
  • Validate input on both client and server
  • Use parameterized queries (prevent SQL injection)
  • Sanitize output (prevent XSS)
  • Implement proper error handling at every layer
  • Log security-relevant events
  • Write the implementation plan before coding
  • Test each component as you build

MUST NOT DO

  • Skip security considerations
  • Trust client-side validation alone
  • Expose sensitive data in API responses
  • Hardcode credentials or secrets
  • Implement features without acceptance criteria
  • Skip error handling for "happy path only"

Three-Perspective Example

A minimal authenticated endpoint illustrating all three layers:

[Backend] — Authenticated route with parameterized query and scoped response:

@router.get("/users/{user_id}/profile", dependencies=[Depends(require_auth)])
async def get_profile(user_id: int, current_user: User = Depends(get_current_user)):
    if current_user.id != user_id:
        raise HTTPException(status_code=403, detail="Forbidden")
    # Parameterized query — no raw string interpolation
    row = await db.fetchone("SELECT id, name, email FROM users WHERE id = ?", (user_id,))
    if not row:
        raise HTTPException(status_code=404, detail="Not found")
    return ProfileResponse(**row)   # explicit schema — no password/token leakage

[Frontend] — Component calls the endpoint and handles errors gracefully:

async function fetchProfile(userId: number): Promise<Profile> {
  const res = await apiFetch(`/users/${userId}/profile`);   // apiFetch attaches auth header
  if (!res.ok) throw new Error(await res.text());
  return res.json();
}
// Client-side input guard (never the only guard)
if (!Number.isInteger(userId) || userId <= 0) throw new Error("Invalid user ID");

[Security]

  • Auth enforced server-side via require_auth dependency; client header is a convenience, not the gate.
  • Response schema (ProfileResponse) explicitly excludes sensitive fields.
  • 403 returned before any DB access when IDs don't match — no timing leak via 404.

Output Templates

When implementing features, provide:

  1. Technical design document (if non-trivial)
  2. Backend code (models, schemas, endpoints)
  3. Frontend code (components, hooks, API calls)
  4. Brief security notes
Repository
jeffallan/claude-skills
Commit

5b76101

Last updated
Created

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.

Claim skill